Year: 2011

One question I get asked often is “How to determine what certificates are expiring?”. This is especially critical for certificates that are not enrolled for with autoenrollment. This is due to the fact that autoenrollment will renew certificates. However, when requesting a certificate for a server, often the Subject or SAN are supplied in the…

In this post I will cover migrating Enterprise Certification Authorities to Windows Server 2008 R2. These steps will work for Enterprise CAs regardless of whether they are a Root CA or a Subordinate CA. The assumptions I make in this blog are that Key Archival and Role Separation are not enabled. This post also assumes…

In this segment I am going to cover upgrading Standalone Certification Authorities. Standalone Certification Authorities are Certification Authorities (CAs) that do not use certificate templates for forming and validating certificate requests. Standalone CAs can be joined to an Active Directory Domain or can be joined to a workgroup. In this segment I am going to…

Today, I am going to talk about some things that you should consider before upgrading your existing PKI. The first question is “Are you happy with your existing PKI?” PKI is a niche technology. Many organizations set up a PKI with limited experience with this technology. As such, many times an organization’s PKI is not configured…

A lot of my customer site visits are for upgrading a customer’s PKI from Windows Server 2003 to Windows Server 2008 R2. I am going to cover the steps for upgrading a PKI in future postings in this series. However, before getting into the upgrade process, it is important to know why you may in…

I had been thinking about compiling a list of PKI references. However, I noticed Kurt Hudson has already done this work. So, if you are looking for a great list of PKI resources, here you go: http://social.technet.microsoft.com/wiki/contents/articles/windows-pki-documentation-reference-and-library.aspx -Chris

One headache for System Administrators has been renewing certificates generated from Offline Templates. Relief from this arduous task is available in Windows Server 2008 R2. Certificate Templates that are configured so that the requestor must provide the identity in the request are called “Offline” Certificate Templates. And one of the disadvantages to “Offline” Certificate Templates…